RealTime IT News

Feds Push Banks on Security Alerts

Banks need to immediately inform customers of security breaches, according to new guidance handed down by federal banking authorities this week.

The "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice" calls for all U.S. banks to have a response procedure in place in the event a hacker accesses private customer data.

It doesn't apply to commercial or business accounts or to customers who disclose information to a third-party, like a fraudulent Web site.

A proper procedure includes the bank conducting an investigation when it becomes aware of a possible breach and notifying customers when appropriate. The guidance doesn't require banks to immediately notify customers in every case, especially if the notification would hinder an investigation by law enforcement officials. In that case, a warning can be delayed. However, the bank is required to notify its primary federal regulator, whether or not it notifies customers.

The rules were produced by the Federal Reserve System (FRS), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Office of Thrift Supervision (OTS).

While it's not a federal law, the guidance is something that no banker -- subject to yearly examination by regulators -- will ignore, said John Hall, a spokesman for the American Bankers Association (ABA).

"I've never known any bank compliance officer that treats a guidance as anything other than a rule," he said.

One of the concerns at the ABA of the original draft of the guidance, Hall said, was that it was too rigid, and not flexible enough to allow banks to adopt their own response mechanisms.

"You don't want to create a 'cry wolf' mentality where customers are getting these [notifications] so often that they become numb to them," he said. "So you want to make sure that they are appropriate, that you send them out at an appropriate time and for appropriate reasons. We just want to make sure it would be an effective notification."

The guidance has been in the works since 2003 but was likely given more notice as a result of a recent string of publicly announced security breaches. In February, the Bank of America (BoA) admitted losing data tapes containing personal information on as many as 1.2 million federal employees.

Then data broker ChoicePoint stopped selling some of its accumulated personal information after it was discovered that the information on more than 145,000 people might have been compromised.

Last week ChoicePoint and LexisNexis, which was involved in a data breach scandal of its own recently, told a House panel they favored federal legislation requiring data brokers to notify customers in case of a leak.

Currently, only California has such a requirement for companies doing business in the state.